Issue:

After setting up Session Assurance, we test whether the feature works by first accessing the protected resource from one browser to generate the user session, and then replaying that session from a different browser. We see that the user is able to access the resource, when the expected behavior is to be challenged for credentials again.

Cause:

By default, the DeviceDNA Refresh Interval is set to 300 seconds. This setting specifies how long the DeviceDNA associated with a user is valid. Only users without a valid DeviceDNA are redirected to the Endpoint, where the server obtains the current DeviceDNA for the user. If the Endpoint has the DeviceDNA Refresh Interval set to 300 seconds, and the time between the two access requests is lower than this, the server checks the session validity via Session Assurance.